You can use Tracefmt to format trace messages from real-time trace sessions in addition to trace log files.
The following sequence of commands uses Tracelog and Tracefmt. The first command uses Tracelog to start a real-time trace session with the Tracedrv sample trace provider. TraceDrv, a sample driver that was designed for software tracing, is available in the Windows driver samples repository on GitHub.
tracelog -start MyTrace -guid tracedrv.ctl -flag 1 -rt
This command starts a trace session called MyTrace. It uses the -guid parameter to identify the trace provider, Tracedrv.sys, by using its control GUID file, tracedrv.ctl. It uses the -flag parameter to set the trace flag value to 1. It uses the -rt parameter to start a trace session that delivers messages directly to a trace consumer, such as Tracefmt. Without the -rt parameter, the trace provider would send messages only to a log file.
The next command uses Tracefmt to format the messages generated by Tracedrv during the MyTrace trace session.
tracefmt -rt MyTrace -p c:\tracing -o mytrace.txt
This Tracefmt command uses the -rt parameter to identify the real-time trace session, MyTrace, and the -p parameter to specify the directory in which the TMF file for Tracedrv.sys is located. The -o parameter directs the output to the mytrace.txt file in the local directory.
In response to this command, Tracefmt prepares to format the trace messages in real time. It displays the following status messages, but does not return to the command prompt:
c:\tracetools>tracefmt -rt mytrace -display -o mytrace.txt
Setting RealTime mode for mytrace
Getting guids from c:\tracetools\default.tmf
The following Tracelog command stops the MyTrace trace session. You must type the command in a different Command Prompt window.
tracelog -stop mytrace
When the trace session stops, Tracefmt reports that it wrote the trace messages to the output file, and then returns to the command prompt.
Event traces dumped to mytrace.txt
Event Summary dumped to mytrace.txt.sum
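The sequence above can also be driven from a single PowerShell session, because Tracefmt can run as a separate process while the script stops the session. The following script is an added example, not part of the original procedure. It assumes that tracelog.exe and tracefmt.exe are on the PATH, that tracedrv.ctl is in the current directory, that the TMF file is in c:\tracing, and that a 30-second capture window (a hypothetical value) is long enough.

```powershell
# Added example: runs the start / format / stop sequence from one PowerShell session.
# Assumptions: tracelog.exe and tracefmt.exe are on PATH, tracedrv.ctl is in the
# current directory, and the TMF file for Tracedrv.sys is in c:\tracing.
$session        = 'MyTrace'
$outFile        = 'mytrace.txt'
$captureSeconds = 30                      # hypothetical capture window
$workDir        = (Get-Location).Path

# Start the real-time session (same parameters as the Tracelog command in the text).
& tracelog -start $session -guid tracedrv.ctl -flag 1 -rt
# Assumption: tracelog signals failure with a nonzero exit code.
if ($LASTEXITCODE -ne 0) {
    throw "tracelog -start exited with code $LASTEXITCODE"
}

$fmt = $null
try {
    # Tracefmt does not return until the session stops, so it runs as its own
    # process instead of blocking the script.
    $fmt = Start-Process -FilePath 'tracefmt' `
        -ArgumentList @('-rt', $session, '-p', 'c:\tracing', '-o', $outFile) `
        -WorkingDirectory $workDir -NoNewWindow -PassThru

    Start-Sleep -Seconds $captureSeconds
}
finally {
    # Stop the session even if the capture was interrupted, so that no
    # real-time session is left running.
    & tracelog -stop $session

    # Tracefmt writes its output files and exits once the session has stopped.
    if ($fmt -and -not $fmt.WaitForExit(15000)) {
        Write-Warning 'tracefmt did not exit within 15 seconds of the session stopping.'
    }
}

# Tracefmt reports two files: the formatted messages and the event summary.
foreach ($file in @($outFile, "$outFile.sum")) {
    $path = Join-Path $workDir $file
    if (Test-Path -LiteralPath $path) {
        Write-Host "Found $path"
    } else {
        Write-Warning "Expected output file is missing: $path"
    }
}
```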